-
在
rules/下有子文件夹Template,以此为模板添加新规则组。 -
使用此 JSON Schema 确保规则文件格式正确
-
规则组命名方式为
威胁类别.行为描述/病毒家族。目前的威胁类别可分为:BackdoorExploitRansomSuspiciousTrojanTelmetry- ...
-
当规则组有针对的恶意软件家族时,优先使用恶意软件家族名命名,例如
Trojan.Remcos代表针对Remcos家族的规则。使用行为描述时,以下词语需要缩写以避免名字过长:System->SysProcess->ProcSuspicious->SuspMalicious->Mal- ...
-
每条规则的命名方式为
规则组名.[A-Z]。 -
例外项/自动处理规则请添加在对应的
auto.json文件内。 -
Telemetry 为遥测组别,默认不开启。
-
添加完新规则组后请运行Github Actions
Generate Documentation生成对应规则文档。
-
Under
rules/there is a subfolderTemplate, use this as a template to add new rule groups. -
Use this JSON Schema to ensure that rule files are properly formatted
-
The rule group naming scheme is
Threat Category. Behavior description/virus family. The current threat categories can be classified asBackdoorExploitRansomSuspiciousTrojanTelmetry- ...
-
When a rule group has a malware family to target, the name of the malware family is preferred, e.g.
Trojan.Remcosstands for a rule targeting the Remcos family. When using behavior descriptions, the following terms need to be abbreviated to avoid long names.System->SysProcess->ProcSuspicious->SuspMalicious->Mal- ...
-
Each rule is named by the
rule group name. [A-Z]. -
Exceptions/automatic rules should be added in the corresponding
auto.jsonfile. -
Telemetry rule group is not enabled by default.
-
After adding the new rule group, please run Github Actions
Generate Documentationto generate the corresponding rule file.